Blue Team Tools

Authors: Aaron Rosenmund, Josh Stroschein, Joe Abraham, Shoaib Arshad, Zach Roof, Tim Coakley, Guillaume Ross

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a...

What you will learn

  • What the function of the tool is
  • Where to get it
  • How to use the tool to fill a gap in enterprise security

Pre-requisites

  • Security fundamentals
  • Ethical hacking fundamentals
  • Security testing fundamentals

Introduction

The first course in this series discusses the use of open-source blue team tools to fill the gaps in your enterprise security and, in turn, enable your information security organization to evolve its capabilities as fast as the threat actors you are defending against.

Blue Team Tools: Defense against Adversary Activity Using MITRE Techniques

by Aaron Rosenmund

Dec 9, 2020 / 19m

Description

Blue Teams have one of the most challenging jobs in the world: finding the bad actor needle in the mound of needles. Attacker techniques are continually evolving, and the threat surface and the data required for analysis are constantly increasing. In this course, Blue Team Tools: Defense against Adversary Activity using MITRE Techniques, you'll cover how to utilize Blue Team Tools to protect, detect, and respond against targeted threat actor techniques in an enterprise environment. First, you'll learn the purpose and origin of Blue Team Tools and the functions they fulfill in modern cybersecurity organizations. Next, you'll leverage MITRE ATT&CK and Shield to get a 360-degree view of attack scenarios and the data and capabilities you need to stop them. Finally, you'll analyze your organization's tooling gaps and how Blue Team Tools can fill them. When you're finished with this course, you'll have the skills and knowledge to leverage the Blue Team Tools skill path to enable your security organization to evolve its capabilities as fast as the threat actors you are defending against.

Table of contents
  1. Course Overview
  2. Blue Team Tools’ Vital Role in Enterprise Security
  3. Resources

Network Analysis

In this section, you will learn about the tools associated with network analysis, how to detect TTPs in the related data sources, and how to meet adversary activity with an active response.

Network Analysis with Arkime

by Josh Stroschein

Dec 11, 2020 / 45m

Description

Finding undetected threats in your network through proactive network analysis requires the right tools. In this course, Network Analysis with Arkime, you’ll learn how to utilize Arkime to detect anomalous or malicious network traffic in an enterprise environment. First, you'll gain insight into how to detect common malware delivery patterns. Next, you’ll learn how to use Arkime to identify malware command and control. Finally, you’ll utilize the many features of Arkime to identify data exfiltration. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using Arkime.

Table of contents
  1. Course Overview
  2. Identifying Initial Access, Command and Control, and Data Exfiltration with Arkime
  3. Resources

Network Analysis with pfSense

by Joe Abraham

Feb 25, 2021 / 38m

Description

Cyber attacks are hitting our networks daily, and some of them have become very advanced. Traditional firewalls can help detect and block them. In this course, Network Analysis with pfSense, you’ll cover how to utilize pfSense to protect against and detect common attack and exfiltration techniques in an enterprise environment. First, you’ll demonstrate how to set up a decoy VPN server using pfSense to detect compromised accounts. Next, you’ll operate pfSense to block the use of alternate protocols by blocking unnecessary ports and protocols. Finally, you’ll analyze known anonymity and C2 networks and block them using pfSense’s DNS services. When you’re finished with this course, you’ll have the skills and knowledge to block and detect these techniques: External Remote Services (T1133), Exfiltration Over Alternative Protocol (T1048), and Proxy: Multi-hop Proxy (T1090.003), using pfSense.

Table of contents
  1. Course Overview
  2. Using pfSense to Block Malicious Network Activity

OS Analysis

In this section, you will learn about the tools associated with OS analysis, how to detect TTPs in the related data sources, and how to meet adversary activity with an active response.

OS Analysis with HELK

by Aaron Rosenmund

Jul 21, 2020 / 29m

Description

Though many cyber attack techniques can be effectively and heuristically identified by analyzing endpoint logs, there are surprisingly few capabilities that focus solely on parsing Windows logs and OS data and providing a platform for advanced statistical analysis. In this course, OS Analysis with HELK, you’ll cover how to utilize HELK to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see the gap that HELK fills in Windows event log analysis. Next, you'll explore how to operate the advanced hunt features provided by HELK. Finally, you’ll learn how to analyze a live dataset to hunt for adversary activity. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: Kerberoasting (T1208), BITS Jobs (T1197), and Indicator Removal on Host (T1070), using HELK.

Table of contents
  1. Course Overview
  2. Using Windows Event Logs with HELK to Hunt for Advanced Adversary Activity
  3. Resources

OS Analysis with RegRipper

by Shoaib Arshad

Sep 1, 2020 / 39m

Description

Windows Registry analysis is a fundamental step in any incident response scenario, as it provides the conclusive evidence needed to confirm or rule out suspicious activity on a Windows system. In this course, you’ll cover how to utilize RegRipper to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll explore RegRipper plugins, which are a unique approach to Registry analysis. Next, you’ll operate RegRipper against various registry hives using a custom set of plugins. Finally, you’ll analyze the Windows Registry to detect adversary activity on a Windows host. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: Create or Modify System Process (T1543), Boot or Logon Autostart Execution (T1547), and Exfiltration Over Physical Medium (T1052), using RegRipper.

Table of contents
  1. Course Overview (Tool Introduction)
  2. Analyzing Windows Registry with RegRipper
  3. Resources

OS Analysis with Wazuh

by Zach Roof

Dec 21, 2020 / 36m

Description

Detecting process-level and file-level attacks can be challenging. Additionally, many tools are "alert factories" that have no ability to remediate in-progress attacks. Luckily, Wazuh solves these problems! In this course, OS Analysis with Wazuh, you'll cover how to utilize Wazuh to respond to data exfiltration in an enterprise environment. First, you'll create a rule to detect malicious filesystem operations. Next, you'll uncover a rootkit through Wazuh by using a Python script. Finally, you'll leverage Wazuh's Active Response functionality to automatically quarantine the host (and prevent it from exfiltrating data). In this course, you will simulate all attacks through Merlin (a popular C2 service) so we can emulate real-world scenarios! (No prior Merlin experience is needed.) When you're finished with this course, you'll have the skills and knowledge to detect these techniques: Scheduled Task/Job (T1053), Hijack Execution Flow (T1574), and Exfiltration Over C2 Channel (T1041).

Table of contents
  1. Course Overview
  2. Detecting Process-level and File-level Attacks with Wazuh
  3. Resources

OS Analysis with Volatility

by Tim Coakley

Jun 25, 2021 / 27m

Description

In this course, OS Analysis with Volatility, you will cover how to utilize Volatility to identify and detect evidence of suspected compromise, such as malicious commands and programs executed on a host computer system. You will learn how to extract the command line history from volatile memory. You will also learn how to initiate an investigation of malicious programs and how to defend against malicious program execution. When you are finished with the course, you will have the skills and knowledge to aid in mitigating techniques T1055 and T1059.

Table of contents
  1. Course Overview
  2. Detect and Respond with Volatility
  3. Resources

Infrastructure Analysis

In this section, you will learn about the tools associated with infrastructure analysis, how to detect TTPs in the related data sources, and how to meet adversary activity with an active response.

Cloud Infrastructure Analysis with Scout Suite

by Guillaume Ross

Jun 15, 2020 / 29m

Description

It is impossible to manually identify all dangerous configurations, given how cloud services are exploding in numbers and complexity. In this course, Cloud Infrastructure Analysis with Scout Suite, you will gain the ability to identify cloud configuration issues with Scout Suite. First, you will learn how to create a vulnerable cloud environment. Next, you will discover how to install Scout Suite with minimal privileges. Finally, you will explore how to analyze the vulnerable cloud environment with Scout Suite. When you are finished with this course, you will have the skills and knowledge of Scout Suite needed to analyze cloud deployments for security issues.

Table of contents
  1. Course Overview
  2. Discovering Unsafe Cloud Configurations with Scout Suite
  3. Resources

Cloud Infrastructure Analysis with Prowler

by Tim Coakley

Mar 11, 2021 / 24m

Description

Ensuring your cloud environments are securely configured is an important element of a continuous cloud security program. In this course, Cloud Infrastructure Analysis with Prowler, you will see how to utilize Prowler to identify and detect security misconfigurations in the cloud in an enterprise environment. You will learn how to audit the security of the cloud accounts that protect your cloud environment. You will also get to see how to build a decoy network and how to analyze your cloud configurations for exposed services. When you are finished with this course, you will have the skills and knowledge to aid in mitigating technique T1526 using Prowler.

Table of contents
  1. Course Overview
  2. Identify, Assess, and Report Cloud Security Threats with Prowler
  3. Resources

Container Infrastructure Analysis with kube-hunter

by Zach Roof

Apr 20, 2021 / 42m

Description

“Common” Kubernetes (K8s) hardening suggests a focus on the control plane. But what if a cluster could be backdoored through the kubelet? In this course, Container Infrastructure Analysis with kube-hunter, we will use kube-hunter to investigate a K8s attack. First, you will use kube-hunter to enumerate security weaknesses in a K8s cluster. Second, you’ll use kube-hunter findings (i.e., a discovered kubelet endpoint) to investigate privilege escalation. Third, you’ll leverage the privilege escalation findings to detect a persistence method (i.e., a malicious container image) through Trivy. Fourth, you’ll harden K8s so the aforementioned attack can’t occur again! When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: System Services (T1569), Exploitation for Privilege Escalation (T1068), and Implant Container Image (T1525).

Table of contents
  1. Course Overview
  2. Detecting and Preventing Kubernetes Attacks with kube-hunter
  3. Resources

Container Infrastructure Analysis with Trivy

by Zach Roof

Apr 20, 2021 / 49m

Description

In this course, we will focus on automating Docker image security scans:

  1. use Trivy (and a GitHub Action) to scan Dockerfiles within GitHub
  2. use Trivy to uncover a malicious image within a Docker registry
  3. perform an analysis on the malicious image to uncover the source of compromise

When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: Supply Chain Compromise (T1195) and Implant Container Image (T1525).

Table of contents
  1. Course Overview
  2. Automating Docker Security Scans with Trivy
  3. Resources

File Analysis

In this section, you will learn about the tools associated with file analysis, how to detect TTPs in the related data sources, and how to meet adversary activity with an active response.

File Analysis with TruffleHog

by Tim Coakley

Apr 15, 2021 / 23m

Description

In this course, File Analysis with TruffleHog, you will cover how to utilize TruffleHog to identify and detect sensitive data, such as credentials, accidentally committed to source code repositories. You will discover how to audit your source environments, including recent and historic source code commits. You will learn how to place decoy credentials in source code repositories and analyze your repositories for exposed credentials. When you are finished with this course, you will have the skills and knowledge to aid in mitigating technique T1552 using TruffleHog.

Table of contents
  1. Course Overview
  2. Identify, Assess, and Report Credential Leakage with TruffleHog
  3. Resources